How do I provision users from a third party with Azure/EntraID?
Required Feature Flags
The following feature flags and permissions are required to use this feature:
| Feature Flag | Technical Name | Description |
| --- | --- | --- |
| SCIM User Provisioning | | Enables SCIM-based automatic user provisioning from your identity provider |
Required Permissions:
Manage security settings (admin.security.settings): to generate the SCIM URL and secret and configure provisioning
Overview
Using the SCIM specification, you can automatically import users from your Identity Provider (such as Active Directory/EntraID) into evaluagent.
Prerequisites
To provision users to evaluagent, you must be using one of the supported third-party user management solutions:
Azure Active Directory / EntraID
Okta
If the solution you're using is supported, proceed through this guide to get set up and allow users to be synchronised.
Getting Started
Go to Settings > Security settings > click the SCIM Provisioning tab > click Generate.
You may see a spinning icon for a few seconds while the request is being processed.
Upon completion, you will see two fields:
_SCIM Provision URL_
_SCIM Secret_
Please Note
The _SCIM Secret_ will only be shown once, and thereafter, only the URL will be visible when you revisit the page. This is an intentional security feature.
Take note of the URL and the Secret displayed here, as they will be required later when setting up your application in Azure Active Directory/EntraID.
That completes the setup on the evaluagent side. Next, we will look at what you need to do in Azure.
Setting up on Azure Active Directory/EntraID
First, you must ensure you have the relevant permissions in Azure to manage users, groups, and other enterprise applications.
Creating the application
This part of the process is temporary while our application is pending review from Microsoft.
Click on _Enterprise Applications_ located on the sidebar on the left and then click _New Application._
Select _Create your own application_ on the row of controls along the top. The _Create your own application_ details panel will slide out from the right.
Provide the application name (e.g., _evaluagent_) and select the bottom radio button option that reads _Integrate any other application you don't find in the gallery._ Once done, click _Create_.
Group Creation
Next, navigate to the _Group Creation_ screen and create an evaluagent access group. This name can be anything you like, but ideally it would include "evaluagent" in the title to make it easily identifiable.
Ensure that the _Group Type_ is set to Security and the _Membership Type_ is set to _Assigned_. Assign an owner to the group and click _Create._
Once your group has been created, click _Enterprise applications_ on the sidebar and select the evaluagent application.
You can add as many groups as you like. However, group assignment does not cascade to nested groups; each nested group would need to be assigned to the application individually.
Next, set up the connection details so that Azure knows how to connect with evaluagent and where to send the data.
In the left-hand sidebar, click _Provisioning_ and then click _Get Started_. In the _Provisioning Mode_ dropdown, select the _Automatic_ option. When you do, the rest of the user interface will display.
Attribute Mapping
Next, there are some default Azure mappings that need to be changed. The accordion below _Admin Credentials_ should be _Mappings_. Open that and click on _Provision Azure Active Directory Users._
Click on the row, and the _Edit attribute_ panel will slide out from the right. From there, select _yes_ on the dropdown labelled _Match objects using this attribute_ and set the value in the field _Matching precedence_ to 2. Ensure that _Apply this mapping_ is selected as _Always_.
Provisioning
Once the mappings are completed, save them and navigate back to the _Provisioning_ tab. Click _Start Provisioning_ so Azure starts sending data to evaluagent.
Please Note
_The initial cycle can take up to 40 minutes to provide data to evaluagent._
Only users who are members of a group assigned to the application are considered applicable by Azure for provisioning. If a user is not in a group assigned to the application, Azure will skip over them.
Handling Third-Party Users in evaluagent
Once users are being sent from Azure to evaluagent, they're placed into a "Pending" state and action is required to activate them, similar to how manual user creation works.
Go to User Management > Add & edit users and review users with the Pending label.
A count on the _Pending Users_ tab shows at a glance whether any users are waiting to be actioned.
When a third-party user management solution is used on a contract, manual user creation is disabled in evaluagent, as user management should be handled through the third-party platform.
FAQs
Why are certain users being skipped from provisioning?
This could occur for two reasons:
The user isn't a member of a group assigned to the evaluagent application, so Azure does not consider them eligible for provisioning out of Active Directory.
The user is missing an attribute that has a matching precedence, such as a username or email address.
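The following is an added example (Python, not evaluagent's or Microsoft's code) that simulates what the attribute mapping above and these two skip reasons mean for one provisioning cycle: a user must be in a group assigned to the application and have every matching attribute populated, and matching attributes are tried in precedence order against existing records. The attribute names, group names and user records are constructed assumptions.

```python
# Assumed matching attributes in precedence order: (Entra ID attribute, SCIM attribute).
# Precedence 1 is the default objectId -> externalId match; precedence 2 is the extra
# attribute this guide has you enable (userName is an assumption here).
MATCHING_ATTRIBUTES = [("objectId", "externalId"), ("userPrincipalName", "userName")]

APP_GROUPS = {"evaluagent-access"}  # constructed: groups assigned to the application

EXISTING_USERS = [  # constructed: records already present on the evaluagent side
    {"id": "u-100", "externalId": "obj-1", "userName": "alice@example.com"},
    {"id": "u-101", "externalId": None, "userName": "bob@example.com"},  # no externalId yet
]

INCOMING = [  # constructed: (Entra ID user, that user's group memberships)
    ({"objectId": "obj-1", "userPrincipalName": "alice@example.com"}, {"evaluagent-access"}),
    ({"objectId": "obj-2", "userPrincipalName": "bob@example.com"}, {"evaluagent-access"}),
    ({"objectId": "obj-3", "userPrincipalName": "carol@example.com"}, {"evaluagent-access"}),
    ({"objectId": "obj-4", "userPrincipalName": "dave@example.com"}, {"finance"}),
    ({"objectId": "obj-5", "userPrincipalName": None}, {"evaluagent-access"}),
]


def match_existing(entra_user, existing):
    """Try each matching attribute in precedence order; return (SCIM attribute, record)."""
    for entra_attr, scim_attr in MATCHING_ATTRIBUTES:
        value = entra_user[entra_attr]
        for record in existing:
            if record.get(scim_attr) == value:
                return scim_attr, record
    return None, None


def plan_action(entra_user, user_groups, app_groups, existing):
    """Decide what a cycle does with one user: skip (with a reason), update, or create."""
    if not (user_groups & app_groups):
        return {"action": "skip", "reason": "not in a group assigned to the application"}
    missing = [a for a, _ in MATCHING_ATTRIBUTES if not entra_user.get(a)]
    if missing:
        return {"action": "skip", "reason": f"matching attribute empty: {missing[0]}"}
    attr, record = match_existing(entra_user, existing)
    if record:
        return {"action": "update", "matched_on": attr, "id": record["id"]}
    return {"action": "create", "state": "Pending"}  # new users land in Pending in evaluagent


def run_cycle():
    """Plan the whole constructed cycle; one result per incoming user, in order."""
    return [plan_action(user, groups, APP_GROUPS, EXISTING_USERS) for user, groups in INCOMING]
```

Bob is matched on the precedence-2 attribute because his evaluagent record has no externalId, which is exactly the case the extra matching attribute is there to cover.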
Why does Azure say that the provisioning cycle has been quarantined?
This typically occurs when there has been an error in one of the attempts to communicate with evaluagent. Azure provides details of what happened in the _Provisioning Logs_. When a cycle is in quarantine, Azure retries in a later cycle, and each retry is typically scheduled further out than the last.
